MIME-Version: 1.0
In-Reply-To: <54A252EA.1010905@iki.fi>
References: <CACsn0cmD=YA4i889f--e_b-OahUVoYdKyQUaiUN--QKOmqn8uA@mail.gmail.com>
 <54A252EA.1010905@iki.fi>
Date: Tue, 30 Dec 2014 15:40:49 +0100
Message-ID: <CADwHJ+8yyOBM7cT-fQwHHvaDF=9vHHdA-=DMMrZBfD_VFGXS9Q@mail.gmail.com>
From: Maarten Bodewes <maarten.bodewes@gmail.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary=047d7b3a94422b20d8050b6ffae6
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/M08EO3rh5fbqPVZphKjIzqUjlps
Subject: Re: [TLS] Do we need DH?
Precedence: list

--047d7b3a94422b20d8050b6ffae6
Content-Type: text/plain; charset=UTF-8

On Tue, Dec 30, 2014 at 8:23 AM, Tapio Sokura <tapio.sokura@iki.fi> wrote:

>
> With regards to all eggs being in the same basket, AES is also something
> that really should have a realistic alternative standardized and
> deployed _before_ (/if) AES is broken. Like SHA-3 is coming around the
> corner while SHA-2 is still well alive and kicking.
>

Although it doesn't invalidate the rest of your argument, the SHA-3
competition was started up when SHA-1 was under significant attack. It
wasn't clear at that time if SHA-2 would be affected as well. By now no
SHA-1 collisions have been found, and - more importantly - the attacks on
SHA-1 don't seem to translate to SHA-2. This is probably a main reason why
at the time of writing SHA-3/Keccak is still not finalized as a standard
(although I expect it will be soon).

The main problem with ECDH is that it can be executed without performing
enough verification on the parameters or public key. But those issues are
present for DH as well. So in my opinion the main thing speaking for DH is
it's relative simplicity of implementation compared to ECDH (for some
libraries ECDH is slower than DH for comparative levels of security for
this reason alone!).

Regards,
Maarten

--047d7b3a94422b20d8050b6ffae6
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">=
On Tue, Dec 30, 2014 at 8:23 AM, Tapio Sokura <span dir=3D"ltr">&lt;<a href=
=3D"mailto:tapio.sokura@iki.fi" target=3D"_blank">tapio.sokura@iki.fi</a>&g=
t;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0=
 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
With regards to all eggs being in the same basket, AES is also something<br=
>
that really should have a realistic alternative standardized and<br>
deployed _before_ (/if) AES is broken. Like SHA-3 is coming around the<br>
corner while SHA-2 is still well alive and kicking.<br>
<span class=3D"HOEnZb"></span></blockquote><div><br></div><div>Although it =
doesn&#39;t invalidate the rest of your argument, the SHA-3 competition was=
 started up when SHA-1 was under significant attack. It wasn&#39;t clear at=
 that time if SHA-2 would be affected as well. By now no SHA-1 collisions h=
ave been found, and - more importantly - the attacks on SHA-1 don&#39;t see=
m to translate to SHA-2. This is probably a main reason why at the time of =
writing SHA-3/Keccak is still not finalized as a standard (although I expec=
t it will be soon).<br><br></div><div>The main problem with ECDH is that it=
 can be executed without performing enough verification on the parameters o=
r public key. But those issues are present for DH as well. So in my opinion=
 the main thing speaking for DH is it&#39;s relative simplicity of implemen=
tation compared to ECDH (for some libraries ECDH is slower than DH for comp=
arative levels of security for this reason alone!).<br><br></div><div>Regar=
ds,<br></div><div>Maarten<br></div></div></div></div>

--047d7b3a94422b20d8050b6ffae6--